EP2311235A2 - Method for access control within a network comprising a pep and a pdp - Google Patents
- Publication number
- EP2311235A2
- Authority
- EP
- European Patent Office
- Prior art keywords
- obligations
- obligation
- pdp
- pep
- language
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Withdrawn
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L47/00—Traffic control in data switching networks
- H04L47/70—Admission control; Resource allocation
- H04L47/78—Architectures of resource allocation
- H04L47/782—Hierarchical allocation of resources, e.g. involving a hierarchy of local and centralised entities
Definitions
- the present invention relates to a method for access control within a network, especially for control of access of a subject to a resource of the network, wherein a PEP (Policy Enforcement Point) sends an access request for evaluation to a PDP (Policy Decision Point) and wherein the PDP may send a reply which may contain at least one obligation to the PEP. Further, the present invention relates to a network, wherein access control is provided, especially control of access of a subject to a resource of the network, wherein a PEP (Policy Enforcement Point) sends an access request for evaluation to a PDP (Policy Decision Point) and wherein the PDP may send a reply which may contain at least one obligation to the PEP.
- PEP: Policy Enforcement Point
- OASIS: Organization for the Advancement of Structured Information Standards
- XACML: OASIS eXtensible Access Control Markup Language
- although the policy language is flexible enough to cover approaches like Core and Hierarchical Role Based Access Control, the handling of obligations is quite neglected, even though this is an important issue, especially to support privacy and advanced tracing of data flow. As an example, an obligation could force the accessing unit to use a certain encryption for data persistency, or ensure that a specific action is performed within a given time frame. This is obtainable from Q.
- the aforementioned object is accomplished by a method comprising the features of claim 1 and a network comprising the features of claim 27.
- the method is characterized in that for specifying obligations a meta-language is used.
- the network is characterized in that for specifying obligations a meta-language is defined.
- the meta-language could be a generic language.
- a generic language could allow for a generic description of obligations even in a distributed environment.
- a detection and/or specification of possible conflicts between the obligations could be provided on the basis of the specification of the obligations and/or of definitions based on the meta-language.
- Such a detection and/or specification of possible conflicts between the obligations could be provided in a general way or depending on the assignment of at least one matching value to at least one parameter of each obligation or for two obligations. In other words, such a detection and/or specification could be provided depending on the matching assignment of at least one parameter for two obligations.
- a negotiation with regard to a respective support of the obligations by PEP and PDP could be provided on the basis of the specification and/or of definitions based on the meta-language.
- the present invention can specify a meta-language to specify obligations and potential conflicts between them as well as a method to exchange this specification between the PDP and PEP and negotiate the support of the obligations specified.
- the description of the supported obligation or obligations and their potential conflicts in a meta-language will be one major aspect of preferred embodiments of this invention.
- the present invention describes a method using the specifications based on this language to specify the capabilities of PDP and PEP.
- incompatibility between the PEP and PDP could be detected beforehand.
- the negotiation phase allows the PDP and PEP to request the compatibility of their required and supported obligations, respectively. In case of some mismatches resolution methods could be applied.
- this negotiation process could be repeated at run-time to change the set of obligations used between PDP and PEP.
- the negotiation process could be skipped and a direct/manual exchange of the obligation specification could be done.
- in case this specification is not fully supported by the PEP, the deployment has failed. Otherwise, both PDP and PEP could refer to the supported obligation specification.
- the specification or specifications of the obligations are negotiated during the deployment of the PEP and PDP.
- the negotiation could be repeated at run-time. During run-time the detection of conflicts between the specifications is also possible.
- the negotiation between the PDP and PEP could comprise three types of messages, termed request message, reply message and resolve message. Based on said three types of messages an effective negotiation is possible.
- the negotiation could be initiated by the PDP or the PEP. Both cases are possible and could be implemented by an operator.
- the meta-language or specification of obligations could be realized as an extension of, or an integration in, the XACML standard.
- only minor amendments and/or additions to an existing standard are necessary for realizing the present invention.
- an obligation could contain a unique identifier.
- the unique identifier is a URI, and the obligation carries a set of parameters whose data types can likewise be specified through URIs.
- the use of URIs allows a very simple handling of obligations.
- a policy schema could be independent from already existing or previous definitions or schemata, if a dependency from such already existing or previous definitions or schemata is not requested.
- Such a common obligation specification could be independent from the policy schema, for providing a well-defined and clear structure of components.
- the PEP and/or the PDP could check that a response from the PDP contains only an obligation or obligations used in the common obligation specification. Thus, only negotiated obligations could be used.
- a relationship model of the specified obligations could be generated preferably by the PEP and/or the PDP. If a relationship between obligations exists, the possible conflict could be either resolved or escalated for further handling.
- the PEP and the PDP could be independent from each other.
- the PEP and the PDP could be provided in a distributed environment.
- the present invention is particularly effective with regard to handling of obligations.
- the obligation specification and/or definition and/or negotiation could be dynamic.
- the present invention is providing a method for specifying arbitrary obligations including their parameters, and potential conflicts between them, either in a general way or depending on the dynamic values assigned, usable to detect incompatibilities during deployment as well as at run-time with additional conflict detection at run-time. Further, conflict detection and resolution based on obligation relations as well as negotiation of supported obligations of the PEP and required obligation of the PDP before regular operation are possible.
- the present invention is providing a distributed and independent PEP and PDP implementation with support of arbitrary obligations. Further, detection of obligation incompatibilities between PEP and PDP during deployment and detection of conflicts between combined obligations at run-time are possible.
- Fig. 1 illustrates the structure of an extension of an existing standard according to the invention.
- Fig. 2 illustrates an overview of the usage of the inventive method.
- From Fig. 1 the structure of an extension of the existing XACML standard is obtainable.
- a generic meta-language is presented according to the invention.
- the policy schema is shown as an extension of a current policy schema within Fig. 1.
- the policy specification is based on the policy schema and defines the identifier of the respective obligation or obligations which can be processed.
- the obligation schema comprises the structure for defining an obligation.
- the obligation specification comprises the type of obligation, e.g. the obligation of sending a notification to a given address.
- the policy specification is based on the policy schema and refers to the obligation specification.
- the obligation specification is based on the obligation schema, see Fig. 1.
- Fig. 2 illustrates an overview of an example of usage of the specification of obligations.
- the negotiation process could be initiated by the PDP or the PEP.
- the initiator first sends a list with the requested obligations.
- the receiver analyses this list and indicates for each obligation whether it supports it or not. For the latter case it could indicate a potential solution, either by indicating that the parameter list of an obligation does not match, or that the types of a parameter differ at first glance. If no solutions are available, the negotiation could be terminated with a failure.
- the initiator could react to a proposed solution by either accepting fixed values (including empty ones) for the parameters, or accepting a casting of the values to a different type. Additionally, it could withdraw an obligation or ask the other side to ignore it in case it shows up. Finally, the negotiation process could also be terminated with a failure at this point.
- this negotiation process could be repeated at run-time to change the set of obligations used between PDP and PEP. In special cases the negotiation process could be skipped and a direct/manual exchange of the obligation specification could be done. In case this specification is not fully supported by the PEP, the deployment has failed. Otherwise both PDP and PEP could refer to the supported obligation specification.
- the PDP ensures during the loading of the policy specification(s) that they only contain obligations defined in the obligation specification. Independently, the PEP could check each access reply as to whether it contains only the obligations specified. The usage of an incompatible obligation specification could be checked against the supported obligation specification. Independently, PEP and PDP could generate a relationship model of all obligations contained in the obligation specification. Various techniques could be used for an efficient implementation of this relationship model, including but not limited to graphs, linked lists, or hash maps. Based on a conflict, a unidirectional relationship (e.g. inclusion) is created and the relevant parameters and the resulting conflicts are given. For a given reply, the contained obligations could be checked for a relationship either in the general case or based on the concrete parameter values. If a relationship exists, the resulting conflict could be either resolved or escalated for further handling.
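The request/reply/resolve exchange and the PEP-side reply check described above, as an added example in Python that is not part of the patent: the urn:example obligation URIs and both sample specifications are constructed, and the status labels (supported, unsupported, param-mismatch, type-mismatch) and the ignorable/allow_cast resolution options are assumptions about how the resolve step could be encoded.

```python
"""Added example (not the patent's code): PDP/PEP obligation negotiation with
request, reply and resolve messages, and the PEP's check of an access reply."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Obligation:
    uri: str        # unique identifier of the obligation (a URI)
    params: tuple   # ((parameter name, data-type URI), ...)


XSD = "http://www.w3.org/2001/XMLSchema#"   # XML Schema datatype namespace

# Constructed sample specifications; the urn:example URIs are hypothetical.
PDP_REQUIRED = [                              # obligations the PDP may emit
    Obligation("urn:example:ob:notify", (("address", XSD + "string"),)),
    Obligation("urn:example:ob:delete-after", (("days", XSD + "integer"),)),
    Obligation("urn:example:ob:watermark", (("text", XSD + "string"),)),
]
PEP_SUPPORTED = [                             # obligations the PEP can enforce
    Obligation("urn:example:ob:notify", (("address", XSD + "string"),)),
    Obligation("urn:example:ob:delete-after", (("days", XSD + "string"),)),
]


def reply(request, supported):
    """Receiver side: classify each requested obligation (the reply message)."""
    by_uri = {o.uri: o for o in supported}
    out = {}
    for ob in request:
        mine = by_uri.get(ob.uri)
        if mine is None:
            out[ob.uri] = ("unsupported", None)
        elif mine == ob:
            out[ob.uri] = ("supported", None)
        elif [n for n, _ in mine.params] != [n for n, _ in ob.params]:
            out[ob.uri] = ("param-mismatch", mine.params)  # proposed parameter list
        else:
            out[ob.uri] = ("type-mismatch", mine.params)   # proposed types to cast to
    return out


def resolve(request, rep, allow_cast=True, ignorable=()):
    """Initiator side: build the common obligation specification (the resolve
    message). A non-empty failed list means negotiation, and so deployment, fails."""
    common, failed = [], []
    for ob in request:
        status, proposal = rep[ob.uri]
        if status == "supported":
            common.append(ob)
        elif status == "type-mismatch" and allow_cast:
            common.append(Obligation(ob.uri, proposal))    # accept the casting
        elif ob.uri in ignorable:
            continue                                       # withdraw / ask to ignore
        else:
            failed.append(ob.uri)
    return common, failed


def check_reply(access_reply_obligations, common):
    """PEP side: an access reply may only carry negotiated obligations; returns
    the URIs that were not negotiated (empty list means the reply is acceptable)."""
    known = {o.uri for o in common}
    return [uri for uri in access_reply_obligations if uri not in known]
```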
- the invention is providing a generic description of obligation, especially within a distributed environment.
- Required and supported obligations can be exchanged between PDP and PEP to avoid unknown obligations at run-time. It is possible to identify different categories of relations between obligations. Conflicting obligations can be detected in ongoing access requests.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP10700699A EP2311235A2 (en) | 2009-01-09 | 2010-01-11 | Method for access control within a network comprising a pep and a pdp |
Applications Claiming Priority (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP09000215 | 2009-01-09 | ||
PCT/EP2010/000086 WO2010079144A2 (en) | 2009-01-09 | 2010-01-11 | A method for access control within a network and a network |
EP10700699A EP2311235A2 (en) | 2009-01-09 | 2010-01-11 | Method for access control within a network comprising a pep and a pdp |
Publications (1)
Publication Number | Publication Date |
---|---|
EP2311235A2 true EP2311235A2 (en) | 2011-04-20 |
Family
ID=42316899
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP10700699A Withdrawn EP2311235A2 (en) | 2009-01-09 | 2010-01-11 | Method for access control within a network comprising a pep and a pdp |
Country Status (5)
Country | Link |
---|---|
US (1) | US20110264816A1 (zh) |
EP (1) | EP2311235A2 (zh) |
JP (1) | JP2012503455A (zh) |
CN (1) | CN102273173A (zh) |
WO (1) | WO2010079144A2 (zh) |
Families Citing this family (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9256757B2 (en) * | 2010-06-17 | 2016-02-09 | Sap Se | Prefetch of attributes in evaluating access control requests |
CN102006297B (zh) * | 2010-11-23 | 2013-04-10 | 中国科学院软件研究所 | 一种基于两级策略决策的访问控制方法及其系统 |
US9332132B1 (en) * | 2014-11-26 | 2016-05-03 | Tsc Acquisition Corporation | System and method for reclaiming obligated network resources |
CN106656937A (zh) * | 2015-11-03 | 2017-05-10 | 电信科学技术研究院 | 一种访问控制方法和访问令牌颁发方法、设备 |
US20170230419A1 (en) * | 2016-02-08 | 2017-08-10 | Hytrust, Inc. | Harmonized governance system for heterogeneous agile information technology environments |
Family Cites Families (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP3636948B2 (ja) * | 1999-10-05 | 2005-04-06 | 株式会社日立製作所 | ネットワークシステム |
US6970930B1 (en) * | 1999-11-05 | 2005-11-29 | Mci, Inc. | Method and system of providing differentiated services |
CN100384141C (zh) * | 2002-11-01 | 2008-04-23 | 艾利森电话股份有限公司 | 分布网络中基于策略控制的方法和系统 |
JP4251008B2 (ja) * | 2003-04-30 | 2009-04-08 | 日本電気株式会社 | ネットワーク間接続装置の自動設定システム及びそれに用いる自動設定方法 |
WO2005009003A1 (en) * | 2003-07-11 | 2005-01-27 | Computer Associates Think, Inc. | Distributed policy enforcement using a distributed directory |
FR2857807B1 (fr) * | 2003-07-18 | 2005-12-02 | Cit Alcatel | Procede de transaction pour un approvisionnement de regles dans un reseau gere a base de regles |
US8046763B1 (en) * | 2004-02-20 | 2011-10-25 | Oracle America, Inc. | Regulation of resource requests to control rate of resource consumption |
WO2006108436A1 (en) * | 2005-04-08 | 2006-10-19 | Telefonaktiebolaget Lm Ericsson (Publ.) | Policy-based management in communications network |
JP4729365B2 (ja) * | 2005-08-12 | 2011-07-20 | 株式会社野村総合研究所 | アクセス制御システム、認証サーバ、アクセス制御方法およびアクセス制御プログラム |
US9407662B2 (en) * | 2005-12-29 | 2016-08-02 | Nextlabs, Inc. | Analyzing activity data of an information management system |
US20100131650A1 (en) * | 2008-11-26 | 2010-05-27 | Chou Lan Pok | Methods and Apparatus to Support Network Policy Managers |
US8228812B2 (en) * | 2008-12-12 | 2012-07-24 | Electronics And Telecommunications Research Institute | Method and system for providing multicast service in next-generation network |
2010
- 2010-01-11 US US13/142,085 patent/US20110264816A1/en not_active Abandoned
- 2010-01-11 CN CN2010800041321A patent/CN102273173A/zh active Pending
- 2010-01-11 JP JP2011528372A patent/JP2012503455A/ja active Pending
- 2010-01-11 WO PCT/EP2010/000086 patent/WO2010079144A2/en active Application Filing
- 2010-01-11 EP EP10700699A patent/EP2311235A2/en not_active Withdrawn
Non-Patent Citations (1)
Title |
---|
See references of WO2010079144A2 * |
Also Published As
Publication number | Publication date |
---|---|
JP2012503455A (ja) | 2012-02-02 |
WO2010079144A2 (en) | 2010-07-15 |
US20110264816A1 (en) | 2011-10-27 |
WO2010079144A3 (en) | 2010-10-07 |
CN102273173A (zh) | 2011-12-07 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US9692792B2 (en) | Method and system for managing security policies | |
Uszok et al. | Kaos: A policy and domain services framework for grid computing and semantic web services | |
US7051107B2 (en) | Distributed environment type computer system able to achieve high speed consecutive message communications by service layer | |
JP5689500B2 (ja) | 権限管理に基づく端末装置管理のための方法 | |
CN102447585B (zh) | 将网络配置协议响应报文转换为命令行的方法及装置 | |
US20110264816A1 (en) | method for access control within a network and a network | |
US20090063584A1 (en) | Versioning management | |
US8365261B2 (en) | Implementing organization-specific policy during establishment of an autonomous connection between computer resources | |
KR20190061060A (ko) | 프로파일 기반 콘텐츠 및 서비스들 | |
US11500690B2 (en) | Dynamic load balancing in network centric process control systems | |
WO2008061113A2 (en) | System and method for utilizing xml documents to transfer programmatic requests in a service oriented architecture | |
US20110010754A1 (en) | Access control system, access control method, and recording medium | |
CN111739190B (zh) | 车辆诊断文件加密方法、装置、设备及存储介质 | |
Agrawal et al. | Policy technologies for self-managing systems | |
CN111198678A (zh) | 一种生成GraphQL前端操作接口的方法及装置 | |
KR20090055890A (ko) | 전파식별 응용 인터페이스 제공방법 및 시스템 | |
CN105740656A (zh) | 数据权限管理方法及装置 | |
US9819732B2 (en) | Methods for centralized management API service across disparate storage platforms and devices thereof | |
Barrett et al. | A model based approach for policy tool generation and policy analysis | |
KR101064201B1 (ko) | 웹 데이터의 권한 관리 장치, 웹 데이터의 권한 관리 방법을 컴퓨터에서 실행시키기 위한 기록매체, 그리고 권한 관리 정보 제공 장치 및 방법 | |
Kotur et al. | Utilization of design patterns in AUTOSAR Adaptive standard | |
Koshutanski et al. | Interoperable semantic access control for highly dynamic coalitions | |
US10171595B2 (en) | Method, apparatus, and software for identifying a set of options for the provision of a service | |
CN112118247B (zh) | 一种车联网数据加密方法及系统 | |
CN117812163A (zh) | 多协议数据的兼容处理方法、装置、设备及存储介质 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PUAI | Public reference made under article 153(3) epc to a published international application that has entered the european phase | Free format text: ORIGINAL CODE: 0009012 |
| 17P | Request for examination filed | Effective date: 20110304 |
| AK | Designated contracting states | Kind code of ref document: A2 Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO SE SI SK SM TR |
| AX | Request for extension of the european patent | Extension state: AL BA RS |
| 17Q | First examination report despatched | Effective date: 20110707 |
| DAX | Request for extension of the european patent (deleted) | |
| STAA | Information on the status of an ep patent application or granted ep patent | Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN |
| 18D | Application deemed to be withdrawn | Effective date: 20140410 |